RubyGems.org hacked via YAML parsing vulnerability

The RubyGems website (RubyGems.org) was hacked via a YAML parsing vulnerability. RubyGems is the package manager for the Ruby programming language; it provides a standard format for distributing Ruby programs and libraries.

According to the Heroku status page, at least one malicious gem was uploaded which potentially had access to sensitive data, including credentials that could be used to tamper with gems.

The RubyGems team is verifying all gems, since it is unknown which ones have been tampered with. The verification process will start with the latest version of every gem, then the most popular version, then the remaining versions.

The team has disabled deploys of Ruby applications until it gains confidence that no gems have been compromised. Users wishing to work around this can deploy at their own risk by setting a custom BUILDPACK_URL as shown in the instructions on GitHub. However, the team strongly discourages its use until the authenticity of all gems has been determined.

"While the RubyGems team is continuing to investigate audit logs and compare all gems against external known-good copies, there has been no evidence yet that any gems have been maliciously modified. As a precaution, Ruby deploys that require external gem servers continue to be disabled," the Heroku status page reads.

The most recent status update from Heroku says that the RubyGems team has verified that 80% of all gems stored on rubygems.org are unmodified.